spacepoet Posted September 14, 2011 Share Posted September 14, 2011 Hi: I was reading a tutorial about making password protected pages and how to make the more secure by using MD5 to encrypt (I think) the password. But. I'm not sure if I don't understand the concept of what it does, or maybe 'm using it wrong. This is the code I am using: Database Table: CREATE TABLE `myAdmins` ( `id` int(4) NOT NULL auto_increment, `myUserName` varchar(65) NOT NULL default '', `myPassword` varchar(65) NOT NULL default '', PRIMARY KEY (`id`) ) ENGINE=MyISAM AUTO_INCREMENT=2 DEFAULT CHARSET=utf8; INSERT INTO myAdmins VALUES("1","abc", "123"); I was told in the tutorial to develop something like this (I think I'm doing it wrong): CREATE TABLE `myAdmins` ( `id` int(4) NOT NULL auto_increment, `myUserName` varchar(65) NOT NULL default '', `myPassword` varchar(65) NOT NULL default '', PRIMARY KEY (`id`) ) ENGINE=MyISAM DEFAULT CHARSET=utf8 AUTO_INCREMENT=2 ; INSERT INTO `myAdmins` VALUES(1, 'abc', md5('123')); My Login.php page: <?php include('../include/myConn.php'); session_start(); session_destroy(); $message=""; $Login=$_POST['Login']; if($Login){ $myUserName=$_POST['myUserName']; //$md5_myPassword=md5($_POST['myPassword']); // Encrypt password with md5() function. $myPassword=$_POST['myPassword']; //$result=mysql_query("select * from myAdmins where myUserName='$myUserName' and myPassword='$md5_myPassword'"); $result=mysql_query("select * from myAdmins where myUserName='$myUserName' and myPassword='$myPassword'"); if(mysql_num_rows($result)!='0'){ session_register("myUserName"); header("location:a_Home.php"); exit; }else{ $message="<div class=\"myAdminLoginError\">Incorrect Username or Password</div>"; } } ?> <html> ... </head> <form id="form1" name="form1" method="post" action="<? echo $PHP_SELF; ?>"> <? echo $message; ?> User Name: <input name="myUserName" type="text" id="myUserName" size="40" /> <br /><br /> Password: <input name="myPassword" type="password" id="myPassword" size="40" /> <input name="Login" type="submit" id="Login" value="Login" /> </form> ... </html> Protected Page: <? session_start(); if(!session_is_registered("myUserName")){ header("location:Login.php"); }?> <html> ... ... </html> I know I need to uncomment the 2 lines of code in Login.php and remove the 2 that I'm currently using, and use the Database Table that has the MD5 code, but whenever I do it will not let me login. The Login.php page (with the Database Table without the MD5 code) works fine. I just wanted to know if this is the right way to use MD5 to make logins even more secure, of if I am totally off on understanding it. Any help or code tweaks would be appreciated. Thanks! Quote Link to comment Share on other sites More sharing options...
Pandemikk Posted September 14, 2011 Share Posted September 14, 2011 Basically here's how it works: You get your password then you use the md5() function to hash it. Then when the user logs in, it matches the hashed password to the one in the database. So if the passwords in the database aren't the md5 hashes of their password then it's not going to work. You should also add a salt to your passwords to make them harder to crack. Quote Link to comment Share on other sites More sharing options...
trq Posted September 14, 2011 Share Posted September 14, 2011 You need to use md5 again when your checking your users credentials or they will never find a match. $result=mysql_query("select * from myAdmins where myUserName='$myUserName' and myPassword='MD5($myPassword')"); Also, the tutorial your using looks like it's pretty dated. session_register has long been deprecated. Quote Link to comment Share on other sites More sharing options...
spacepoet Posted September 14, 2011 Author Share Posted September 14, 2011 Hi: Thanks for the replies. Is there a better or more modern tutorial you can show me? I just want to create something like what I just posted, but if there is a more modern way to do it I would love to learn it. Thanks. Quote Link to comment Share on other sites More sharing options...
Pandemikk Posted September 14, 2011 Share Posted September 14, 2011 Use isset($_SESSION[$whatever]); As far as md5 goes, when someone registers to your site you will need to store the md5 hash of their password into the database. Have you been doing that? Are the passwords in the database md5 hashes? Quote Link to comment Share on other sites More sharing options...
spacepoet Posted September 14, 2011 Author Share Posted September 14, 2011 Hi again: 1st - so I should set my session code like this: <? session_start(); //if(!session_is_registered("myUserName")) isset($_SESSION[$myUserName]); { header("location:Login.php"); }?> <html> ... ... </html> Just in that file or in the other file? Wasn't sure about that. MD5 - maybe I need to change the code to what thorpe posted: $result=mysql_query("select * from myAdmins where myUserName='$myUserName' and myPassword='MD5($myPassword')"); The code was definitely scambled in the database. I insert the "myAdmins" table via phpmyAdmin, and then use the Login.php page for the admin area. I just wanted to know if I'm using the MD5 for the right purpose - in other words does this make logging in more secure? What I can't figure out is if I set a password to "123" and when it is insert into mySQL it becomes "asdagdauihdadGFtyda" (or whatever), how a user can type in "123" and be granted access to to site when the password is clearly not"123"?? Quote Link to comment Share on other sites More sharing options...
AyKay47 Posted September 14, 2011 Share Posted September 14, 2011 alright ill explain this using code.. and first off the isset() code you posted needs to be in an if conditional.. alright lets say that you store the password as "asdagdauihdadGFtyda" in your database... when a user types in their password (we will say 123), you will check the md5 hashed version of what they typed in to the database hashed password like so.. <?php $db_password = "asdagdauihdadGFtyda"; //password grabbed from database $password = $_POST['password']; //user typed password if($db_password == md5($password)){ // the password typed matches the $db_password }else{ // passwords don't match } ?> Edit: quick note.. an md5 hash will be 32 characters... the string i chose is simply for example purposes Quote Link to comment Share on other sites More sharing options...
PFMaBiSmAd Posted September 14, 2011 Share Posted September 14, 2011 FYI - using the md5 hashing function on a password does not make your code more secure and it does not make logging in more secure. It makes the stored passwords more secure in case someone obtains the contents of your database, because the actual passwords are not stored, the md5 hashed value of the password is what is stored. Password hashing is one of the most basic security considerations that must be made when designing any application that accepts passwords from users. Without hashing, any passwords that are stored in your application's database can be stolen if the database is compromised, and then immediately used to compromise not only your application, but also the accounts of your users on other services, if they do not use unique passwords. By applying a hashing algorithm to your user's passwords before storing them in your database, you make it implausible for any attacker to determine the original password, while still being able to compare the resulting hash to the original password in the future. 1st - so I should set my session code like this: ... ^^^ You need an exit statement after the header() redirect to prevent the remainder of the code on your 'protected' page from executing. The only thing a header statement does is send a http header to the browser. The php code continues running until it gets to the end of your page or to an exit; statement. Quote Link to comment Share on other sites More sharing options...
spacepoet Posted September 14, 2011 Author Share Posted September 14, 2011 OK, so my "CheckLongin.php" page should look like this: : <? session_start(); isset($_SESSION[$myUserName]); { header("location:Login.php"); exit; }?> <html> ... ... </html> ?? One other thing - how do I do it so the session will timeout after 20 minutes on being inactice? Do I add it to the code listed above? Thanks! Quote Link to comment Share on other sites More sharing options...
Pikachu2000 Posted September 14, 2011 Share Posted September 14, 2011 IF( isset . . . Quote Link to comment Share on other sites More sharing options...
AyKay47 Posted September 14, 2011 Share Posted September 14, 2011 OK, so my "CheckLongin.php" page should look like this: : <? session_start(); isset($_SESSION[$myUserName]); { header("location:Login.php"); exit; }?> <html> ... ... </html> ?? One other thing - how do I do it so the session will timeout after 20 minutes on being inactice? Do I add it to the code listed above? Thanks! read this Quote Link to comment Share on other sites More sharing options...
spacepoet Posted September 14, 2011 Author Share Posted September 14, 2011 Hi: There are a lot of examples there .. which one do you think would work best with how my file is set-up? Quote Link to comment Share on other sites More sharing options...
AyKay47 Posted September 15, 2011 Share Posted September 15, 2011 the one that is checked is the one that i linked you to. since im feeling lazy.. Quote Link to comment Share on other sites More sharing options...
spacepoet Posted September 16, 2011 Author Share Posted September 16, 2011 Oh .. OK, got it .. let me play around with it and see how I do .. Thanks! Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.